dgerzo / bruteforceblocker


BruteForceBlocker is a Perl script that works along with the pf firewall. Its main purpose is to block SSH bruteforce attacks via the firewall.

Home Page: http://danger.rulez.sk/index.php/bruteforceblocker/

Perl 100.00%
ssh bruteforce perl pf freebsd openbsd netbsd openssh

bruteforceblocker's People

Contributors: dgerzo, mkhon, sewatt

bruteforceblocker's Issues

sub block does not handle CNAME PTRs

If an IP address being looked up has a CNAME instead of a PTR, for example:

210.7.246.87.in-addr.arpa. 600 IN CNAME 210.0-255.7.246.87.in-addr.arpa.

The block subroutine assumes that the RR type is a PTR record, and triggers an error in the Net::DNS::RR::CNAME class by attempting to access the ptrdname method, which doesn't exist. The error is ugly:
`*** FATAL PROGRAM ERROR!! Unknown instance method "ptrdname"
*** which the program has attempted to call for the object:


210.7.246.87.in-addr.arpa. 600 IN CNAME 210.0-255.7.246.87.in-addr.arpa.


*** THIS IS A BUG IN THE CALLING SOFTWARE, which incorrectly assumes
*** that the object would be of a particular type. The type of an
*** object should be checked before calling any of its methods.


Net::DNS::RR::CNAME 1597 at /usr/local/sbin/bruteforceblocker line 129, line 1.
main::block("87.246.7.210") called at /usr/local/sbin/bruteforceblocker line 101
`

A patch that fixes it:

`diff --git a/bruteforceblocker.pl b/bruteforceblocker.pl
index 71c4f23..78354b8 100755
--- a/bruteforceblocker.pl
+++ b/bruteforceblocker.pl
@@ -127,6 +127,11 @@ sub block {
my ($IP) = shift or die "Need IP!\n";

 my $query = $res->search($IP, "PTR");
  • while ($query && ($query->answer)[0]->type eq "CNAME") {

  •   $query = $res->search(($query->answer)[0]->cname, "PTR");
    
  • }

  • my $RDNS = $query ? ($query->answer)[0]->ptrdname : "not resolved";

    if ($timea{$IP} && ($timea{$IP} < time - $cfg->{timeout})) {
    `
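
Review bot: the added `while` loop that follows CNAME answers has no iteration limit, and the reverse zone for a logged address is run by whoever holds that address, so a CNAME chain that points back to itself keeps block() issuing queries and stalls the log reader; cap the chain at a small fixed depth and fall back to "not resolved" when the cap is reached. The final `($query->answer)[0]->ptrdname` also still assumes the first answer is a PTR, which is the same type assumption that produced the fatal error reported above; pick the first answer whose type is "PTR" instead of indexing `[0]`, and use "not resolved" when there is none.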

Freebsd 11.1 Openssh 7.2 regex only matches every 3 tries

It seems that the regex matching does not work as it should on the above-mentioned config.
So when you have max_attempts set to 3, it only caught tries on the 9th or 10th login.
In the part commented as "the core process" where you match the log lines, I added the following line after the first one, which for me solved this issue:
/.*Failed keyboard.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) port.*/i ||

Thx!
Regards,
Repcsi
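
The effect described in the issue above, as an added example that is not part of the original post or of the bruteforceblocker source: the same failure counter run over constructed sshd log lines, once with a password-only pattern and once with the keyboard-interactive pattern added. The `$addr` pattern, the password-only baseline, the `count_failures` helper and the log lines are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified IPv4-only stand-in (assumption) for the script's
# $work->{ipv4}|$work->{ipv6}|$work->{fqdn}, which this page does not show.
my $addr = qr/\d{1,3}(?:\.\d{1,3}){3}/;

# Assumed baseline: only password failures are recognised.
my @before = ( qr/.*Failed password.*from ($addr) port.*/i );
# Baseline plus the keyboard-interactive pattern proposed in the issue.
my @after  = ( @before, qr/.*Failed keyboard.*from ($addr) port.*/i );

# Constructed log lines using documentation address ranges.
my @log = (
    'Mar  1 10:00:01 host sshd[1201]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 40112 ssh2',
    'Mar  1 10:00:04 host sshd[1201]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 40112 ssh2',
    'Mar  1 10:00:07 host sshd[1201]: Failed keyboard-interactive/pam for root from 203.0.113.5 port 40112 ssh2',
    'Mar  1 10:01:15 host sshd[1307]: Failed password for invalid user admin from 198.51.100.7 port 52200 ssh2',
    'Mar  1 10:02:30 host sshd[1310]: Accepted publickey for ops from 192.0.2.10 port 50022 ssh2',
);

# Count failed-login lines per source address for a given pattern set.
sub count_failures {
    my ($patterns, $lines) = @_;
    my %count;
    for my $line (@$lines) {
        for my $re (@$patterns) {
            if ($line =~ $re) {
                $count{$1}++;   # $1 is the captured source address
                last;           # count each log line at most once
            }
        }
    }
    return \%count;
}

my $max_attempts = 3;   # value quoted in the issue
my $old = count_failures(\@before, \@log);
my $new = count_failures(\@after,  \@log);

for my $ip (sort keys %$new) {
    my $n_old = $old->{$ip} // 0;
    my $n_new = $new->{$ip};
    printf "%-15s before=%d after=%d%s\n", $ip, $n_old, $n_new,
        $n_new >= $max_attempts ? "  -> reaches max_attempts" : "";
}
```

On hosts where sshd authenticates through keyboard-interactive/PAM, checking a few real `Failed keyboard-interactive` lines against the active pattern set this way shows whether failures are being counted at all before relying on max_attempts.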

FreeBSD 12.0 p3, IPs get loaded into the table multiple times, goes on forever

After my last update to FreeBSD 12.0-RELEASE-p3 FreeBSD 12.0-RELEASE-p3 r345729 - amd64, bruteforceblocker runs forever on loading the IPs from your site. Also in the table file I have duplicates.
grep -c "someIP" /var/db/ssh-bruteforce
9
The main script sometimes spawns 30-40 bruteforceblocker processes, and I found this out the hard way when I ran out of swap space...
I believe something has changed in the persistent pf table file format as well, because now I can't load it if bruteforceblocker writes the IPs in it:
Enabling pf
/etc/pf.conf:19: cannot define table robot: Invalid argument
pfctl: Syntax error in config file: pf rules not loaded
If I null out the table file it starts up again.

If this is a FreeBSD 12 error it will break bruteforceblocker, so a working solution would be nice, or a way to look up what version of OS the script runs on.

If I have the time I will try to proactively find out what is happening, but until this time I was lacking that kind of time :)
As before contact me if you need more info!

License information

There isn't any license information of this software. So please consider adding it.
My preference is 2 or 3 clause BSD License :-).
